Shocking state of website security in SA

Garyvdh don't forget the Code crackers? Slackers
Wastin' time with all the chatroom yakkers?
9 to 5, chillin' at Hewlett Packard?
 
This points to not only bad design, but bad or incomplete testing before going live.
 
Don't be silly, it's not the system's fault! Lock up these malicious hackers who keep illegally accessing these public URLs!!
 
Sure, the COJ must be feeling rather embarrassed... Oh wait, you need a brain for that.
 

There are some really highly paid people who created these systems.
'Government' contracts employ anyone to do the job; the communications minister is a good example.
The 'business owner' probably never thought of security in the first place (remember, this was promised and expected considering the sensitive information being used; it had to be visible on the proposal as a business requirement). There's an architect behind this who should never have been in his position, as he avoided the most basic .... security. And I think the developers are to blame as well.

Everyone involved didn't do their job. Someone should definitely be arrested. But I don't think it's the user base.
 
I bet SQL injection will sail past a lot of these "secured" sites.
Everywhere I go these days people use inline SQL and seem to be very happy about it.
 
One should ask all those IT service providers the following questions:
  • Are you dealing with credit card details and if so, have you actually undergone PCI training/certification and has the application/infrastructure been PCI tested?
  • Any IT service provider should have COBIT and ITIL certification. COBIT DS11.6 covers data security.
  • Most companies (depending on the industry) will have to comply with ISO 27001, or as a bare minimum should have any of the above certifications/experience.

You will find that none of the tender documents for those projects will cover any of the risk & governance processes or any level of appropriate data- or security management. It is actually quite scary when big consulting companies (who should have the necessary knowledge) make such fundamental mistakes.

You will find that none of the government or corporate projects would ever have undergone an external security audit or penetration test, and they lack the basics in data, application or infrastructure security. The most obvious issues, like incrementing a URL or forgetting to check authentication/authorisation, are still trivial. When you start looking at SQL injection (doh - prepared statements anyone?), XSS or infrastructure vulnerabilities - that's when it becomes interesting, and hardly anyone has preventative maintenance in place.
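The inline-SQL pattern mentioned in the comments above, side by side with the prepared-statement form, as an added example that is not from the original thread or from any of the sites it discusses. The table, rows, function names and the `x' OR '1'='1` payload are all constructed for illustration; SQLite is used only because it ships with Python and runs offline.

```python
import sqlite3
from typing import List, Tuple

# Constructed sample data: a tiny in-memory user table, NOT the schema of any real site.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, id_number TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, id_number) VALUES (?, ?)",
        [("alice", "8001015009087"), ("bob", "7502036001083"), ("carol", "9103047004082")],
    )
    conn.commit()
    return conn


def lookup_inline(conn: sqlite3.Connection, username: str) -> List[Tuple]:
    """The 'inline SQL' pattern: the user-supplied value is pasted into the statement
    text, so the database parses whatever the user typed as part of the query."""
    sql = f"SELECT id, username, id_number FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_prepared(conn: sqlite3.Connection, username: str) -> List[Tuple]:
    """Parameterised (prepared) statement: the value is bound separately and is
    never interpreted as SQL, so the same payload is just a username that does not exist."""
    sql = "SELECT id, username, id_number FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Classic tautology payload; constructed test input.
PAYLOAD = "x' OR '1'='1"

if __name__ == "__main__":
    conn = make_db()
    print("inline, honest input:    ", lookup_inline(conn, "alice"))   # one row
    print("inline, injected input:  ", lookup_inline(conn, PAYLOAD))   # every row leaks
    print("prepared, injected input:", lookup_prepared(conn, PAYLOAD)) # []
```

With the inline version the WHERE clause becomes `username = 'x' OR '1'='1'`, which is true for every row, so a single request dumps the whole table; the prepared version compares the literal string `x' OR '1'='1` against the column and matches nothing. Binding parameters is the fix; escaping quotes by hand is not.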
 
Seriously, how much brain power does it take to change parameters in a URL?
Any person with a single brain cell knows about this. Their system is flawed, full stop.
They should learn to design secure systems from the get-go and get with the times.


These guys should just get with the times.
URLs are typed in by users all the time to directly access pages on websites.
 
 
Seriously, how much brain power does it take to change a URL parameter or number?
How many brain cells (almost zero) is one required to have to be classified as a hacker nowadays,
versus those who can't design, full stop?

Their system is flawed and they must just design better systems and get with the times.
To threaten legal action for not knowing what they are doing in the first place is just lame.
I mean, we as kids have been doing this for years. Wake-up call.



In the first place, search engine bots actually do pattern detection in URLs and will then start generating
parameters for URLs to fully index websites; this has been the case for years now!!!

With regards to the original article on MyBroadband:
if you don't need to put in a password to get the document, page or whatever the URL returns,
then you have access to it! Even if you have authenticated as someone else, the system
should ensure you don't have access to it.

If you don't want someone to have access, then return an error code or display a "page content not found".

The rule of the web is: if you can type in a URL and it returns content,
then it is allowed to be accessed. Even if you are authenticated as someone else, it is the responsibility
of the system administrator and designer to ensure that the end user can never access anything
that he is not allowed to.

Let me design a machine and say we don't put a safety cage over all the motors and saw blades,
and then say it's the operator's fault because he got too close. I don't think you'd let that fly,
so why must we let inferior, flawed websites like this fly in the first place!!
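The check the comments above keep asking for, "incrementing the number in the URL" against a handler that never asks who is logged in, next to one that does, as an added example that is not from the original thread or from the COJ system. The `Document` store, the sequential ids, the account names and the handler signatures are all constructed for illustration; the shape `(status, body)` stands in for an HTTP response.

```python
from dataclasses import dataclass
from http import HTTPStatus
from typing import Callable, Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Document:
    doc_id: int
    owner: str   # the account that is allowed to read this record
    body: str

# Constructed sample store with sequential ids: the layout that invites "just add one to the URL".
DOCUMENTS: Dict[int, Document] = {
    1001: Document(1001, "alice", "alice's rates account"),
    1002: Document(1002, "bob", "bob's rates account"),
    1003: Document(1003, "carol", "carol's rates account"),
}

Response = Tuple[HTTPStatus, Optional[str]]


def get_document_vulnerable(session_user: Optional[str], doc_id: int) -> Response:
    """Looks the record up by the id taken from the URL and never asks who is asking.
    Anyone, logged in or not, can walk the id space and read every record."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None:
        return HTTPStatus.NOT_FOUND, None
    return HTTPStatus.OK, doc.body


def get_document_checked(session_user: Optional[str], doc_id: int) -> Response:
    """Authentication first (is there a session at all?), then authorisation
    (does this session own this record?)."""
    if session_user is None:
        return HTTPStatus.UNAUTHORIZED, None
    doc = DOCUMENTS.get(doc_id)
    # Deliberately the same answer for "no such record" and "not your record":
    # someone incrementing the URL cannot even learn which ids exist.
    if doc is None or doc.owner != session_user:
        return HTTPStatus.NOT_FOUND, None
    return HTTPStatus.OK, doc.body


def walk_ids(handler: Callable[[Optional[str], int], Response],
             session_user: Optional[str], start: int, stop: int) -> List[int]:
    """Simulate the 'change the number in the URL' loop: return every id that yielded content."""
    return [i for i in range(start, stop) if handler(session_user, i)[0] == HTTPStatus.OK]


if __name__ == "__main__":
    print("vulnerable, no login:", walk_ids(get_document_vulnerable, None, 1000, 1010))
    print("checked, no login:   ", walk_ids(get_document_checked, None, 1000, 1010))
    print("checked, as bob:     ", walk_ids(get_document_checked, "bob", 1000, 1010))
```

The point is that the lookup key in the URL is untrusted input like any other: the record is selected by id, but access is decided by comparing the record's owner against the authenticated session, on every request, on the server. Sequential ids are not the vulnerability in themselves; the missing ownership check is.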
 